The other day I came across the suggestion that it is more secure to build everything into your app, rather than rely on shared libraries.

Isn't that just saying that code re-use is bad practice because it equates to vulnerability re-use? Safer to bloat the install.

Thinking of the relative security reputations of some well-known platforms and their relative tendencies for developers to depend on shared libraries, I find this a difficult idea to justify based on evidence.

If 100 instances of the same library are compiled separately into 100 apps, where is the benefit over installing once and linking from those 100 apps?

And doesn't it also depend rather heavily on the experience and professionalism of the shared library developers vs. the app developers? I'd trust a 15-year old maintenance team over a shiny new script kiddie any day.

I kind of smell subversive FUD at work - "You can trust our shiteware approach, honest. Far better than that other competitor - just read this security analysis my salesman wrote." sort of thing.

The reason is that a very large percentage on here have no idea what a shared library is.

What happens when a shared library becomes corrupt?
What happens when a shared library is updated?
What happens when a shared library is no longer needed in the latest OS incarnation?
Although not a library situation, remember SNDREC32.EXE in XP and below, but not in Vista and higher...

You see my point.

I suspect that a library that has stood the test of time is pretty much bullet proof AFA security is concerned. However, sometimes they get major code changes that not only affect countless apps that depend on them but also break security and reliability.

guy wrote: Isn't that just saying that code re-use is bad practice because it equates to vulnerability re-use?

If that is true, it also equates to re-use of vulnerability fixes.

If you have 100 apps all with their own statically compiled version of a library and a vulnerability is found and fixed, you have to wait for all 100 projects to update their code before you are safe from that vulnerability.

The same applies to other improvements to the code, be it bug fixes or better performance.

"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
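The practical side of the point above (a fix to a shared library lands once, while a statically built copy has to be found and rebuilt in every app) is that you first need a way to tell which binaries carry their own copy of a library and which only reference the shared one. The following is an added example, not code from anyone in this thread: it scans binaries for the version banners that common libraries leave behind when they are compiled in, compares them against a "first fixed in" table, and separately lists the sonames a dynamically linked binary references. The fixed-version table, the regexes and the sample "binaries" are constructed for the example and are not a real advisory feed.

```python
import re

# Illustrative "first fixed in" table. The version numbers are assumptions
# made for this example, not real advisory data. Each entry pairs a regex
# for the banner the library embeds in binaries that statically link it
# with the first version assumed to carry the fix.
FIXED_IN = {
    "zlib": (re.compile(rb"(?:inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright"), "1.2.11"),
    "openssl": (re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) "), "1.0.1g"),
}

# Sonames a dynamically linked binary references instead of embedding code.
SONAME_RE = re.compile(rb"lib(?:z|ssl|crypto)\.so(?:\.\d+)*")


def version_key(version):
    """'1.0.1e' -> (1, 0, 1, 0, 'e'); numeric parts are padded to four
    components so tuples of different lengths still compare cleanly."""
    m = re.fullmatch(r"((?:\d+\.)*\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (m.group(2),)


def embedded_copies(blob):
    """Return {library: sorted versions} for library code built into blob."""
    found = {}
    for lib, (pattern, _fixed) in FIXED_IN.items():
        versions = {m.group(1).decode() for m in pattern.finditer(blob)}
        if versions:
            found[lib] = sorted(versions, key=version_key)
    return found


def shared_references(blob):
    """Return the sonames blob references: what a dynamic link leaves behind.
    These copies are fixed by updating the one shared library on the system."""
    return sorted({m.group(0).decode() for m in SONAME_RE.finditer(blob)})


def audit(binaries):
    """binaries: {name: bytes}. One record per statically embedded library
    copy, flagged vulnerable when older than the assumed fixed version."""
    report = []
    for name, blob in binaries.items():
        for lib, versions in embedded_copies(blob).items():
            fixed = FIXED_IN[lib][1]
            for v in versions:
                report.append({
                    "file": name,
                    "library": lib,
                    "version": v,
                    "vulnerable": version_key(v) < version_key(fixed),
                })
    return report


# Constructed sample "binaries": ELF-like padding around the strings a real
# build would leave. These are not real files.
SAMPLE_BINARIES = {
    "app_static_old": b"\x7fELF\x02\x01\x01" + b"\x00" * 32
        + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\x00"
        + b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler\x00",
    "app_static_fixed": b"\x7fELF\x02\x01\x01" + b"\x00" * 32
        + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "app_dynamic": b"\x7fELF\x02\x01\x01" + b"\x00" * 32
        + b"libz.so.1\x00libssl.so.1.0.0\x00",
}


if __name__ == "__main__":
    for rec in audit(SAMPLE_BINARIES):
        state = "VULNERABLE" if rec["vulnerable"] else "ok"
        print(f"{rec['file']}: embeds {rec['library']} {rec['version']} [{state}]")
    for name, blob in SAMPLE_BINARIES.items():
        for so in shared_references(blob):
            print(f"{name}: links shared {so} (fixed by updating the system copy)")
```

Against the constructed inputs, app_static_old is reported as carrying its own zlib 1.2.8 (older than the assumed fix), app_static_fixed carries an OpenSSL at the assumed fixed version, and app_dynamic embeds nothing but references libz.so.1 and libssl.so.1.0.0, which a single system update would cover. Banner scanning is a heuristic: a vendor build can strip or alter the strings, so it finds embedded copies but cannot prove their absence.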

Shared code may mean multiple vulnerabilities, but it also means multiple eyes on it.
The old "security by obscurity" argument is why Windows has become such a pile of dudu over the years.
Anyway, every current OS uses shared libraries, and yet some are much more secure than others, so that sort of wrecks the argument, really.
